@henices
Created February 4, 2024 09:42
[CVE ID]
CVE-2024-22669
[PRODUCT]
Vim is a highly configurable text editor built to make creating and changing any kind of text very efficient.
It is included as "vi" with most UNIX systems and with Apple OS X.
[AFFECTED VERSION]
Vim releases before patch 9.0.2143 (vim < 9.0.2143) are affected; fixed in 9.0.2143.
[PROBLEM TYPE]
Heap-based buffer overflow (1-byte out-of-bounds read)
[DESCRIPTION]
vim < 9.0.2143 is vulnerable to a heap-based buffer overflow in ex_substitute() (src/ex_cmds.c). A crafted :substitute command makes the function read one byte immediately past the end of a 63-byte heap buffer that it allocated earlier in the same function; the AddressSanitizer report below shows the allocation at ex_cmds.c:4653 and the out-of-bounds read at ex_cmds.c:4743.
[TECHNICAL DETAILS]
Reproduction command. "poc" is the reporter's trigger script, which is not included in this gist; it is sourced with -S while Vim runs non-interactively in silent Ex mode (-u NONE -i NONE skip vimrc and viminfo, -X avoids the X server, -Z is restricted mode, -m forbids writing files, -n disables the swap file, -e -s is silent Ex/batch mode, and -c ':qa!' quits afterwards):
./vim -u NONE -i NONE -X -Z -m -n -e -s -S poc -c ':qa!'
==189302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000575f at pc 0x000000534c5c bp 0x7ffc5f31ae80 sp 0x7ffc5f31ae78
READ of size 1 at 0x60600000575f thread T0
#0 0x534c5b in ex_substitute /home/henices/tests/vim/src/ex_cmds.c:4743
#1 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#2 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#3 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#4 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#5 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#6 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#7 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#8 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#9 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#10 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#11 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#12 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#13 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#14 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#15 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#16 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#17 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#18 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#19 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#20 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#21 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#22 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#23 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#24 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#25 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#26 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#27 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#28 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#29 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
#30 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
#31 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#32 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#33 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#34 0x55edd6 in do_cmdline_cmd /home/henices/tests/vim/src/ex_docmd.c:588
#35 0x9d95b7 in exe_commands /home/henices/tests/vim/src/main.c:3173
#36 0x9d95b7 in vim_main2 /home/henices/tests/vim/src/main.c:790
#37 0x9dc30f in main /home/henices/tests/vim/src/main.c:441
#38 0x7fc67ccd1149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
#39 0x7fc67ccd120a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
#40 0x4074d4 in _start (/home/henices/tests/vim/src/vim+0x4074d4) (BuildId: f58f836b397bb305c28092d23847feabbcd502a6)
0x60600000575f is located 0 bytes after 63-byte region [0x606000005720,0x60600000575f)
allocated by thread T0 here:
#0 0x7fc67d2d92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
#1 0x40776f in lalloc /home/henices/tests/vim/src/alloc.c:246
#2 0x407824 in alloc /home/henices/tests/vim/src/alloc.c:151
#3 0x5347f3 in ex_substitute /home/henices/tests/vim/src/ex_cmds.c:4653
#4 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#5 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#6 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#7 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#8 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#9 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#10 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#11 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#12 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#13 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#14 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#15 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#16 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#17 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#18 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#19 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#20 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#21 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#22 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#23 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#24 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#25 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#26 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#27 0x7a254e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1236
#28 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#29 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#30 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
#31 0x79ed0e in do_source_ext /home/henices/tests/vim/src/scriptfile.c:1761
#32 0x7a1565 in do_source /home/henices/tests/vim/src/scriptfile.c:1907
#33 0x7a259e in cmd_source /home/henices/tests/vim/src/scriptfile.c:1253
#34 0x7a25ec in ex_source /home/henices/tests/vim/src/scriptfile.c:1279
#35 0x559dd1 in do_one_cmd /home/henices/tests/vim/src/ex_docmd.c:2582
#36 0x559dd1 in do_cmdline /home/henices/tests/vim/src/ex_docmd.c:994
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/vim/src/ex_cmds.c:4743 in ex_substitute
Shadow bytes around the buggy address:
0x606000005480: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x606000005500: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x606000005580: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x606000005600: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x606000005680: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x606000005700: fa fa fa fa 00 00 00 00 00 00 00[07]fa fa fa fa
0x606000005780: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x606000005800: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x606000005880: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x606000005900: 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa fa
0x606000005980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==189302==ABORTING
[Reporter]
Zhen Zhou of NSFOCUS Tianji Lab
[Solution]
Update Vim to 9.0.2143 or a newer version (any build whose "Included patches" list contains 2143, or Vim 9.1 and later, which were cut after that patch).
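Because distributions ship Vim as a base version plus a list of applied patches, the fix status of a host cannot be read off the "9.0" alone; the "Included patches:" line of `vim --version` has to be checked for patch 2143. The following script is an added example for this advisory, not code from the gist or from the Vim project. It parses the banner format Vim prints and decides whether the build predates the fix, also handling distro builds that cherry-pick patches and therefore have gaps in the list. The sample banners inside it are constructed in Vim's real output format, not captured from a host.

```python
"""Decide from `vim --version` output whether a build predates the fix for
CVE-2024-22669 (Vim patch 9.0.2143).

Added example for this advisory; not part of the original gist or of Vim.
It relies only on the banner lines Vim prints:
  "VIM - Vi IMproved 9.0 (...)" and "Included patches: 1-2143".
"""
import re
import subprocess
from typing import Optional, Set, Tuple

FIX_BASE = (9, 0)   # major.minor the fixing patch belongs to
FIX_PATCH = 2143    # 9.0.2143 is the first patch level carrying the fix


def parse_banner(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the first line of `vim --version`, or None."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def included_patches(text: str) -> Set[int]:
    """Expand the 'Included patches:' line (e.g. '1-2000, 2005-2143') into
    the set of patch numbers actually applied.

    Distro builds that cherry-pick security fixes print non-contiguous
    lists, so taking the highest number alone would give wrong answers.
    """
    m = re.search(r"^Included patches:\s*([0-9,\- ]+)", text, re.MULTILINE)
    if not m:
        return set()
    patches: Set[int] = set()
    for part in m.group(1).split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            patches.update(range(int(lo), int(hi) + 1))
        else:
            patches.add(int(part))
    return patches


def is_affected(version_text: str) -> bool:
    """True if the build described by `version_text` lacks patch 9.0.2143."""
    base = parse_banner(version_text)
    if base is None:
        raise ValueError("not a Vim version banner")
    if base < FIX_BASE:      # 8.x and earlier never received the fix
        return True
    if base > FIX_BASE:      # 9.1 and later were cut after 9.0.2143
        return False
    return FIX_PATCH not in included_patches(version_text)


def check_installed(vim: str = "vim") -> bool:
    """Run the installed binary and report whether it is affected."""
    out = subprocess.run([vim, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected(out)


# Constructed sample banners in Vim's real output format (not host captures).
SAMPLE_VULNERABLE = (
    "VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Nov 20 2023 10:00:00)\n"
    "Included patches: 1-2136\n"
    "Huge version without GUI.  Features included (+) or not (-):\n"
)
SAMPLE_FIXED = (
    "VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Dec 05 2023 10:00:00)\n"
    "Included patches: 1-2143\n"
)
SAMPLE_CHERRYPICKED = (  # distro build whose patch list skips 2143
    "VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Dec 05 2023 10:00:00)\n"
    "Included patches: 1-2000, 2103-2142, 2150\n"
)
SAMPLE_NEW = (
    "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 10 2024 10:00:00)\n"
    "Included patches: 1-20\n"
)
SAMPLE_OLD = (
    "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Jan 10 2022 10:00:00)\n"
    "Included patches: 1-3995\n"
)

if __name__ == "__main__":
    print("affected" if check_installed() else "fixed")
```

Run it as `python3 check_vim.py` on the host to be assessed; for fleet-wide checks feed captured `vim --version` output to `is_affected()` instead of calling the binary. Note that the check only proves a build carries the upstream patch number, so a vendor backport that fixes the bug without bumping the patch list will still be reported as affected.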
[References]
http://www.vim.org/
https://github.com/vim/vim/commit/abfa13ebe92d81aaf66669c428d767847b577453
[Disclosure Timeline]
2023-11-28 - Issue reported to vendor
2023-12-02 - Vendor fixed the issue (patch 9.0.2143)
2024-01-29 - CVE Team RESERVED CVE-2024-22669 for this issue
2024-02-04 - Public Release